I think Yves meant that there's no way to password-protect individual EC2 credentials, not SSH keys.

The least-bad thing I've been able to think of is making sure the credentials are rotated regularly, and stored in such a way that it's not too much of an inconvenience when you have to change them once a month. (Write all your Amazon scripts in such a way that they pull in a single file with the Amazon API keys, IAM credentials, whatever, so that when you change them you only have to change them in one place and they can be changed relatively quickly when needed.)

David Smith

-----Original Message-----
From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On Behalf Of Edward Ned Harvey (lopser)
Sent: Tuesday, February 18, 2014 3:49 PM
To: Yves Dorfsman; t...@lopsa.org
Subject: Re: [lopsa-tech] Protecting EC2 key pair

> From: Yves Dorfsman [mailto:y...@zioup.com]
>
> - you cannot password them

What are you talking about? Did you read the second half of my post? Yes, you absolutely can password-protect ssh keys, even if you started with a non-protected key.

What's a better idea, anyway, is that each user should generate his/her own personal private keypair, saved securely with their own password encryption, and a comment that uniquely identifies the user. That way, when you have employee turnover, you just remove his/her personal public key from the servers. If everyone is using the same keypair, you have no reliable way of locking out former users.

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
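Edward's per-user key scheme in practice, as an added POSIX shell example that is not code from the thread: it audits an authorized_keys file for entries with no identifying comment (keys that cannot be tied to a person) and revokes one user's keys on turnover. The sample file and key material are constructed, and the script assumes plain entries with no leading option field.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes authorized_keys entries
# are plain "<type> <base64> [comment]" lines with no leading option field.

# Constructed sample authorized_keys; the key material is fake.
SAMPLE_AUTH_KEYS="$(mktemp)"
cat > "$SAMPLE_AUTH_KEYS" <<'EOF'
# keys deployed by the build pipeline
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYALICE alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEKEYBOB bob@workstation
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYSHARED
EOF

# Count active key entries (lines starting with a key type) in the file.
count_keys() {
  grep -c '^ssh-' "$1" || true
}

# Report key entries that carry no identifying comment: a key nobody
# owns cannot be tied to a person, so it cannot be revoked on turnover.
# Prints "line: keytype" for each offender; returns 1 if any were found.
find_uncommented_keys() {
  awk '$1 !~ /^#/ && NF > 0 && NF < 3 { print NR ": " $1; bad = 1 }
       END { exit (bad ? 1 : 0) }' "$1"
}

# Revoke every key whose comment is the user's name or "<user>@<host>",
# writing to a temp file first so an interrupted run never truncates
# the live file.
revoke_user_key() {
  file="$1"; user="$2"
  tmp="$(mktemp)"
  awk -v u="$user" '$3 == u || index($3, u "@") == 1 { next } { print }' \
      "$file" > "$tmp" && mv "$tmp" "$file"
}

# Stand-alone run: flag unowned keys and report how many entries exist.
find_uncommented_keys "$SAMPLE_AUTH_KEYS" || echo "unowned keys present"
echo "keys deployed: $(count_keys "$SAMPLE_AUTH_KEYS")"
```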